We should all want better options when it comes to security. At no point did anyone advocate for the elimination of Steam Guard, we only want better OPTIONS for MFA and account security. It's not controversial, it's not insulting, it's only people advocating for a better Steam experience for everyone.
We are. But I'd rather drive a hammer into that wall and leave a crack for others to be inspired by, than leave things as is. The audience to threads like these consists of greater numbers than just the people actively partaking.
So I’ve blocked a different user in this thread because they’re just being argumentative and unhelpful but it seems like you actually want to have a conversation here. If that’s true, I’m totally open to discussing this with you as long as we’re all on the same page that the following points are absolutely true:
1. We’re all real humans with feelings and ideas, and our objective here should be to have a civilized conversation about the given topic.
2. At the end of this conversation nothing will change because none of us work for Valve or have the power to enact change and we may as well type these comments straight into a trash can.
If you’d like to keep talking about this, I’d love to.
We should still have other options for MFA
They decided not to implement this suggestion.
Was there a public statement where Valve flatly stated this?
Or is that just your own potentially very flawed inference based on the observable behavior that right now they implemented something different of their own - and haven't implemented standardized MFA solutions yet?
There's a difference.
At a normal company one would safely infer it's a discarded feature or one so low in their priority stack it pretty much counts as a discard.
However we're talking Valve here and Valve Time is a very real thing.
Valve Time is a thing yes.
I mean; they literally are the meme's namesake, so yeah...
But more than that:
The fact that a company won't do something now, doesn't mean they won't do it later. And doesn't mean they'll never reconsider any existing internal evaluations. That would require some strong ideological opposition which in most cases results at some point in a public statement akin to "we won't ever do X, because Y."
I mentioned in other posts: big-tech and large digital service providers are all converging on the FIDO protocol suite as the next generation of means of authentication. At one point or other, Valve is going to be forced to join the party, or the public opinion is going to be one where they're judged old-fashioned; inconvenient; and the odd one out.
In 2015...
http://store.steampowered.com/news/19618/
You can read one of the original discussions on the matter here...
https://steamcommunity.com/groups/MobileAuthBeta/discussions/0/618459297893399975/
And let's just say that with the original announcement for the new mobile redesign back in 2019 when the Chat app was released, they had more than enough time to decide to add other forms of 2FA but didn't and released it to all users after nearly a 2 month beta.
With all due respect; those were also different times.
The very first attempt at standardizing protocols to communicate with external authenticators that managed to break into the consumer market was the 1.0 version of the very first FIDO standard (which didn't even support multi-factor authentication flows at the time, iirc) and that was finalized in December 2014. Everything else up 'til that point was basically 'every-vendor-for-themselves' in a Wild West.
And it wasn't until 2020~2021 that multi-platform compatible standardized 2FA could even take off, because it took that long for specifications to mature and for platform vendors to ensure support.
Initially, only Google and Samsung were doing anything with it. Apple was off doing its own thing; as was Microsoft. The push for standardized MFA didn't really hit ground until late 2020, when - surprise; surprise - we started to get decent support for the WebAuthentication APIs in browsers; where suddenly these external authenticators became relevant for a bevy of internet-hosted services.
Which is why I said; you can't really judge Valve's past non-action on this topic as a refusal to implement it. Because for a large part; at the time it would rightfully have been deemed highly experimental; risky to invest in; and financially not a sound idea - i.e. non-viable compared to a custom solution.
That is no longer the case now, sure. But right now, it is also harder for Valve to commit to a different strategy when they already have their app. So they're incrementally improving that instead.
I'm not going to argue that that is sunken cost fallacy. Because it isn't. Right now they're just going for the best/most improvement in the shortest time and against the lowest cost. But there's no telling whether future incremental steps will involve adding support for external authenticators based on FIDO or not.
It seems logical that at some point it would happen.
You still didn't address the trading confirmations part about the mobile app that can not be done with the other services.
FIDO protocols actually support something called "secure display" - an additional encrypted message payload that can be sent along with the signing challenge to be displayed on a separate hardware screen, or on a special tamper-proofed overlay that is separate from the OS - in case of an authenticator that is e.g. based on a TPM in a PC or secure enclave co-processor in a phone.
There's attestation support to read back what the screen on an authenticator is capable of as well. E.g. if it's text-only, or supports graphics; what color-depth; what resolution; etc. The service wanting to issue a challenge to the key can use this to prepare an appropriately formatted message.
Of course; that attestation support can also report that no screen is present, and then Steam could act on that by simply politely telling the user back on their primary screen that their choice of authenticator is insufficient to validate their trade securely and if they continue, the trade will be susceptible to the normal rules for trades only protected by lower-graded SteamGuard e-mail guard - i.e. will be held for X amount of days. Or the user can opt to switch to a different authenticator.
Because that's also an inherent part of FIDO auth flows: the ability to register multiple authenticators.
(More than that - it's actually a many-to-many relationship. An account can be linked to multiple authenticators; while an authenticator can also be linked to multiple accounts with the same service. Having something like a "shared family key" is a possibility, if that were your thing. And it could be done securely without any party using the authenticator being privy to the credentials of any other party.)
I've been harping on this issue for a while and this is the first genuine counterpoint that shows some of Valve's logic behind this decision. Sincerely, thank you for your input in this conversation.
I personally disagree with their decision to force their own MFA on people as there are other arguably better options out there. That being said, I know how decisions like this can move very slowly (or not at all) at the scale of a company like Valve so the lack of change on this makes sense. Plus having some semblance of control over their own users' security is likely very helpful for them despite being inconvenient for many of us.
Thanks again for the links, those were very informative.
I would prefer a thousand times to have my 2FA codes in my authenticator app even if I use Steam Guard as a supplement.
Furthermore, as PassKeys (FIDO 2) are arriving, and Apple, Google and Microsoft committed to accelerate passwordless sign-in availability using PassKeys FIDO 2 [fidoalliance.org], Steam Guard feels a little outrun; the integration in the different OSes makes it way easier to log in than even the QR code scanning.
I would love to see my Steam account truly passwordless.
Especially when Microsoft makes a study that shows that passwords are the weakest authentication factor [www.forbes.com]